Set the ACL with API by non-admin user

Similar Messages

• Is there a way to set the ACLs on a folder so that users cannot copy a file?

  Hello,
  Is there a way to set the ACLs on a folder so that users cannot copy a file?
  I have a customer that wants to put an employee handbook into a FORMS FOLDER. But he doesn't want users to be able to copy the file into other folders or onto removable media.
  Admittedly, I have never run into this before and my testing hasn't yielded an answer...
  Any Ideas?
  Thanks again,
  Robert

  Use third party software for security management (http://www.wave.com/ ,
  http://www.devicelock.com/ ,
  https://www.lumension.com/, etc) . Standard access rights that come with operating system do not go beyong permission/share schema.
  Rgds
  Milos

• Allowing non-admin users to use certain programs without authenticating

  I would like to allow certain programs to be run by non-admin users without forcing them to authenticate as an admin. Here is my example: I'm running Parallels Desktop with a VM to Windows. I want to allow my children to use this VM to access Windows programs. But, when starting a VM, the Mac OS requires an administrator to authenticate. Needless to say, I don't want my children to be administrators on the machine. I've been assured that this is not an issue related to how Parallels works (from the support team at Parallels). Instead, this is an issue with the Mac. i'm not sure one way or the other, but it seams useful to be able to (in general) allow non-admin users to use certain programs without forcing them to authenicate as administrators.
  There is only one summary in the Mac help on allowing non-admin users to change the time zone settings by directly editing the /etc/authorization file. Does anybody know if this procedure would work for other programs?
  Thanks!

  If you know what the requested right is, that procedure can be applied to any right in an application with a graphic interface by duplicating and modifying entries. The contents of that file don't control usage of sudo in the Terminal.
  (25922)

• ColorSync and non-admin users

  Is there a way to allow non-admin users to change ColorSync profiles for printers using the ColorSync Utility? Our non-admin users can launch the utility and see all the printers listed in the "Devices" section but the option to change the default profile for any particular printer is greyed out.
  Thanks.

  Kurt is far more expert on this than I am, so take his advice first.
  Hi,
  There are three things to consider...
  #1. Profiles in use, like Fast User Switching being on and another User logged in, cannot be changed/edited.
  #2. There are at least 2 locations for the .ICCs...
  /Library/ColorSync/Profiles/Displays/
  /Users/YourUserName/Library/ColorSync/Profiles/
  Profiles in the 1st location cannot be edited. ICCs in the 2nd location could have copies made & the copies moved to another User's folder & Rights/Privileges changed accordingly.
  #3. See what "Scope" Colorsync reports... I think it has to do whether all users was selected when installing drivers, not certain on that though.

• Allow Non-Admin Users Update Software Installed In Their Computers

  Hello All;
  At our location, we have several users who are not always in the office. In some instances, the imac or macbook pro ask for several updates such as Office 2011, and Adobe CS 5 and 6. And, the second issue, these users are not part of the administrator group or ever will be the administrator of their computers.
  Is it possible to adjust the authorization file to allow non-admin users to run these sort of updates?
  or
  Is there a product on the market that can push updates to all these different programs?
  Thanks Kindly

  Is there a product on the market that can push updates to all these different programs?
  Apple Remote Desktop, for one.

• Non-admin users can't view GAL with Outlook Connector

  Non-admin users are unable to view the Global Address List with Outlook Connector. When I give a test user admin rights (in our portal), the user can view the GAL. The VLV index is setup and functioning correctly for admin users. My versions are Directory Server 5.2 Patch 4, JES 2005Q4, Outlook Connector 7.1.222.4.
  I've reviewed the ACIs on o=cp per http://docs.sun.com/app/docs/doc/819-5200/gbnse?a=view and verified that they are getting passed down to the child entries. I added a new ACI for a specfic test user, but I see no effect when I run an ldapsearch as that user. Here are the ACIs:
  1. Allow Calendar Administrators to proxy
  (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
  (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
  (version 3.0;acl "Allow Calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
  allow (proxy)(groupdn = "ldap:///cn=Calendar Administrators, ou=Groups, o=cp");)
  2. Allow Calendar users to read and search other users
  (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
  (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
  (version 3.0;acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
  allow (read,search)(userdn = "ldap:///uid=*,ou=People,o=pcc.edu,o=cp");)
  3. Allow test users to proxy
  (targetattr = "mail || uid || icsCalendar || givenName || sn || cn")
  (targetfilter = (|(objectClass=icscalendaruser)(objectClass=icscalendarresource)))
  (version 3.0;acl "Allow test users to proxy - product=ics,class=admin,num=2,version=1";
  allow (proxy)(userdn = "ldap:///uid=299899598658566,ou=People,o=pcc.edu,o=cp");)
  Here's the log for an ldapsearch as a non-admin user:
  -bash-3.00$ grep "conn=386080 op=1 msgId=2" access
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - SORT cn
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - VLV 1:1:dpelinka 2964:11852 (0)
  [02/Jan/2008:15:15:44 -0800] conn=386080 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
  When the same search is run by an admin user, nentires=3.
  Here is the test ldapsearch:
  ldapsearch -h vmpt1 -p 389 -D "uid=299899598658566,ou=People,o=pcc.edu,o=cp" -w {password} \
  -b "ou=People,o=pcc.edu,o=cp" -x -s "sub" -S "cn" \
  -G "1:1:dpelinka" "pdsRole=Employee" uid
  David,

  Jay,
  Here's a full set of logs. The first set is from my test search; the second from an actual OC search. I don't see anything different between the admin and non-admin except for the number of entries returned.
  ADMIN TEST SEARCH
  -bash-3.00$ ./test_vlvindex.shl
  version: 1
  dn: uid=375308679900788,ou=People,o=pcc.edu,o=cp
  uid: 375308679900788
  dn: uid=534616896694744,ou=People,o=pcc.edu,o=cp
  uid: 534616896694744
  dn: uid=506947161967075,ou=People,o=pcc.edu,o=cp
  uid: 506947161967075
  index 2973 content count 11893
  DS log-bash-3.00$ grep "conn=1964292 op=1" access
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - SORT cn
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
  [07/Jan/2008:16:36:02 -0800] conn=1964292 op=1 msgId=2 - RESULT err=0 tag=101 nentries=3 etime=0
  NON-ADMIN TEST SEARCH
  -bash-3.00$ ./test_vlvindex.shl
  index 2973 content count 11893
  DS log-bash-3.00$ grep "conn=1973983 op=1 msgId=2" access
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid"
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - SORT cn
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - VLV 1:1:dpelinka 2973:11893 (0)
  [07/Jan/2008:16:37:53 -0800] conn=1973983 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
  ADMIN OC SEARCH
  -bash-3.00$ grep -i vlv access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
  -bash-3.00$ grep "conn=1000785 op=14 msgId=15" access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - SORT cn
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - VLV 0:8:0:0 1:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=14 msgId=15 - RESULT err=0 tag=101 nentries=9 etime=0
  -bash-3.00$ grep "conn=1000785 op=15" access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - SORT cn
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - VLV 0:10:9:0 10:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=15 msgId=16 - RESULT err=0 tag=101 nentries=11 etime=0
  -bash-3.00$ grep "conn=1000785 op=16 msgId=17" access
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - SORT cn
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - VLV 0:17:20:0 21:11893 (0)
  [07/Jan/2008:16:42:58 -0800] conn=1000785 op=16 msgId=17 - RESULT err=0 tag=101 nentries=18 etime=0
  NON-ADMIN OC SEARCH
  -bash-3.00$ grep -i vlv access
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
  -bash-3.00$ grep "conn=2220710 op=1" access
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="cn mail uid objectClass"
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - SORT cn
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - VLV 1:1:1:0 2:11893 (0)
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
  -bash-3.00$ grep "conn=2220710 op=2" access.20080107-171147
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SRCH base="ou=people,o=pcc.edu,o=cp" scope=2 filter="(pdsRole=Employee)" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - SORT cn
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - VLV 0:8:0:0 1:11893 (0)
  [07/Jan/2008:17:26:04 -0800] conn=2220710 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
  -bash-3.00$
  David.

• Permission Error when copy files into cmsdk using NFS with non admin user

  Hi All,
  We are using CMSDK with NFS protocol and we have created different users with ACL to control different access for users.
  When we copy files into cmsdk folders using one of the admin user this works fine, even a multiple copy works fine. But when we use any non admin user , some time copy commands works but some time it throw a permission deny error. and this is happening very intermittently.
  when we use ftp protocol and ftp file it's all works fine for the both admin & non admin user. Is there any limitation in using CMSDK NFS protocol
  Did any one encouter any similar issue. Any pointers would be of great help.
  Thanks in advance
  Regards,
  Navin

  Hi All,
  We are using CMSDK with NFS protocol and we have created different users with ACL to control different access for users.
  When we copy files into cmsdk folders using one of the admin user this works fine, even a multiple copy works fine. But when we use any non admin user , some time copy commands works but some time it throw a permission deny error. and this is happening very intermittently.
  when we use ftp protocol and ftp file it's all works fine for the both admin & non admin user. Is there any limitation in using CMSDK NFS protocol
  Did any one encouter any similar issue. Any pointers would be of great help.
  Thanks in advance
  Regards,
  Navin

• We have non admin users on Windows 7. They change the homepage and it works for that session. When they close the browser, and restart it again the default homepage is shown.

  Windows 7 Sp3. Using Firefox 7.01
  Non admin users.
  Can change homepage to whatever they like and it will work.
  BUT when they close firefox and open it again the home page goes back to default setting

  Update.
  This looks to be a mozilla.cfg setting. If I take out the pref("browser.startup.homepage","ourwebpage");
  it loads the basic firefox "FirstPage"
  How do I get around adding a default homepage that can be changed by the user?
  I have tried adding
  defaultPref.. .. then the webpage info.. BUT it retrurns a Failed to read the configuration file. Please contact your system administrator.
  Do I need to create a prefs.js file?
  And if I do how do I get it to work for each new user that logs into that machine?

• Non Admin user can cancel the time machine backup an Admin user started?

  Today I had to do a new time machine backup but as it was running the user was switched to a non admin user but that admin user was able to terminate the backup that Time Machine was running since the panel showed up on their screen. Why is that?

  Barney-15E wrote:
  I wouldn't think it was a bug. If I was a user trying to get something done that was processor intensive, I'd like to be able to stop the backup. As the admin, I wouldn't think missing one backup was a big deal.
  The o.p. didn't seem to agree.
  I'm not sure what I'd think in that situation.
  But it could easily be allowed, for those who want it -- just put the TM icon in the other user's menubar before locking the preferences panel.

• How to hide the page ribbon and quichlaunch for non admin users

  HI
  1 ) how to hide the ribbon in a page in sharepoint 2010 for non administrator users  
  2) how to hide quicklaunch also for non admin users
  in quick lanuch i want to hide links for all site content also.
  i used Document Center Template to create my web application.
  adil

  HI
  i did not get how i use this control 
  <Sharepoint:SPSecurityTrimmedControl
  runat="server"
  PermissionsString="FullMask">
  2
    <div>
  3
      <SharePoint:SPLinkButton
  id="idNavLinkViewAll"
  runat="server"
  NavigateUrl="~site/_layouts/viewlsts.aspx"
  Text="<%$Resources:wss,quiklnch_allcontent%>" AccessKey="<%$Resources:wss,quiklnch_allcontent_AK%>"/>
  4
    </div>
  5
  </SharePoint:SPSecurityTrimmedControl>
  adil

• How to allow access to winrs for non-admin user?

  I have Windows Server 2012 (and Server 2008, but it is next priority) to monitor it using txwinrm. txwinrm library internally is using WinRS protocol. I have to monitor it using least privileged user, but don't know how to configure access for him.
  All I managed to do - is to configure remote Powershell session for my user, but it's look like that winrs and powershell sessions have different security descriptors:
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential Administrator $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  Invoke-Command -ComputerName 192.168.173.206 -Credential (credential lpu1 $pwd) -ScriptBlock { 2 + 2}
  # gives 4
  winrs -r:192.168.173.206 -u:Administrator -p:$pwd 'powershell -command "2+2"'
  # gives 4
  winrs -r:192.168.173.206 -u:lpu1 -p:$pwd 'powershell -command "2+2"'
  # Gives Winrs error: Access is denied.
  Configuration for my user is following:
  (Get-Item WSMan:\localhost\Service\RootSDDL).value
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1141)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
  (Get-PSSessionConfiguration -name Microsoft.Powershell).SecurityDescriptorSddl
  # O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;S-1-5-21-3231263931-1371906242-1889625497-1149)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
  (In each security descriptor my user is given general access to protected object).
  So what security descriptor should I set to make my winrs query work for non-admin user?

  Hi Bunyk,
  I can not recreate the erroe you posted, and please also post the screenshoot in your convenience.
  I tested with a non-domain user but has the local admin permission of the remote computer, and this worked, before running the remote cmdlet in powershell, I also configured the TrustedHosts.
  In addition, the access denied could be also caused to the Protocol Filtering on the remote server, for more detailed information, please refer to this thread:
  winrs error:access is denied
  I hope this helps.

• Acrobat 7 requires admin password at every launch for non admin users?

  acrobat 7 requires admin password at every launch for non admin users?
  any one with a solution or similar problem?
  thanks for any help.

  I've been avidly following all of the threads regarding this issue...yet none of the solutions have worked for me. I've got 11 Mac users that do not use the Creative Suite..only Acrobat, Quark, etc. I've tried installing and re-installing through both Admin and User accounts, I've tried the AdobeBib XML change, I've tried enabling Root and installing, changing permission on the Acrobat folder, etc. all to no avail. I still get asked for Admin Authentication every time Acrobat and Distiller are opened (except on the Admin account side). This is happening on one particular Mac (G4, 1GB Ram, OS 10.4.3) for both Acrobat Standard 6 and 7 as well. The biggest issue that also happens in tandem with the Acrobat installs is the inability to print from Quark. I get the following error when printing: "The process "pictwpstops" terminated unexpectedly on signal 6." Because of the necessity to print Quark documents, I have uninstalled all Acrobat on the machines until we can get a fix. This resolves the printing problem with Quark. The only option left is to set up all users as Admin accounts - which I really do not want to do. Any other suggestions out there? I've got more information available if needed.

• Not able to install ActiveX (OCX) on Non-Admin user in Windows 7 ( internet Explorer 8/9)

  I need the solution to install ActiveX controls throught CAB file (Micorsoft Cabinet) for non-admin users. Our solution is working for user accounts with adminstrator rights but not for nonadmin users.
  So far we have tried solution given here: http://msdn.microsoft.com/en-us/library/dd433049(v=vs.85).aspx
  and here:
  http://blogs.msdn.com/b/askie/archive/2012/09/27/guidlines-on-implementing-activex-installer-service-axis.aspx
  But we could not succeed. Pls Help !

  Hi,
  Apologize for the late reply and the misunderstanding about the ActiveX download location, we could change the location through the below registries:
  Use Registry Editor to change the "ActiveXCache" value to the location you want in the following registry key:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Use Registry Editor to change the "0" value to the location you want in the following registry key:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache
     NOTE: The values you enter in steps 1 and 2 must match.
  More information, please check
  How to Change the Download Location for ActiveX Files (registries exists in IE11).
  Regarding the urls that download the cab files into user profile directory, would you mind to share the URL?
  And here is some information regarding inf files:
  About INF File Architecture
  We may check the value of DestDir, DestDir can be set to 10 to place the file into the \Windows directory or to 11 to place the file into the \Windows\System directory. If no value is specified, the file is placed into the \Cache directory.
  Best regards
  Michael Shao
  TechNet Community Support

• Majority of reports missing for non admin users

  I have followed the instructions here (SCCM 2012–Reporting in console for non-admins (Reporting User Role) v2) to allow non admin users the ability to view
  reports in the console. So far, so good. However, when viewing the reports with the non admin user, only about 100 of the 400+ reports appear.
  Am I missing something here?

  The custom reporting one in the link I provided, and also modified versions of the following:
  OS Deployment manager (removed rights to All driver related items (drivers and driver packages), Boot image packages (except read access), Operating system installation packages).
  Application Administrator (removed Application>Approve; Distribition Point>Set Security Scope; Distribution Point Group>Set Security Scope; Global Condition>Set Security Scope)
  The reports missing we care about primarily are Software ones (companies and products and files).

• Borland C++ Delphi application is not able to connect to SQL Server as Non Admin user

  Hi,
  I am working on a Borland C++ and Delphi application. This application connects to  SQL Server and returns database queries results. Once we migrated to windows Server 2003 we have started facing an issue.
  1. IF we login to client application as admin user then this connects properly with SQL Server and returns database queries.But if we connect using Non- Admin users then application is not able to connect SQL Server.
  SQL Server 2008
  Windows Server 2003.
  Can anybody help on this.
  Thanks in Advance.
  Rakesh

  This application is written in Borland C++ and Delphi running on Windows 2003 Server. This  is a Windows GUI based small tool. Basic functionality of the tool is : 1) Once we invoke the tool it connects to DB(SQL Server 2005) and populates a list of
  all the tables present in DB.   2) If we select any table from the list populated in step (1) and provide query parameters, this will return results from Database.
  Issue:  IF we login to the Windows machine as Administrator this application runs perfectly .This application populates the DB tables correctly and returns results from database when queries executed as in step (2)
  But if we login as some other user (like hubapp) then this populates some different set of table which are not from the same database instance .Also the queries does not return any results. In the logs we get following error message : (TiltData is the instance
  name for our Database)
  Msg:Application Exception : Cannot locate or connect to SQL server.Unable to connect: SQL Server is unavailable or does not exist.  Specified SQL
  server not found.Alias:
  TiltData1 occurred in main thread.
  As for the connection string 
        'DATABASE NAME=tiltdata'
        'SERVER NAME=SDV3'
        'USER NAME=sa'
        'OPEN MODE=READ ONLY'
        'SCHEMA CACHE SIZE=8'
        'BLOB EDIT LOGGING='
        'LANGDRIVER='
        'SQLQRYMODE=SERVER'
        'SQLPASSTHRU MODE=NOT SHARED'
        'DATE MODE=0'
        'SCHEMA CACHE TIME=-1'
        'MAX QUERY TIME=300'
        'MAX ROWS=-1'
        'BATCH COUNT=612'
        'ENABLE SCHEMA CACHE=FALSE'
        'SCHEMA CACHE DIR='
        'HOST NAME='
        'APPLICATION NAME=QueryTool'
        'NATIONAL LANG NAME='
        'ENABLE BCD=FALSE'
        'TDS PACKET SIZE=65535'
        'BLOBS TO CACHE=64'
        'BLOB SIZE=32'
        'PASSWORD=jstart')
  Any help is appreciated. I have spent a lot of time on this issue with no results.
  Regards
  Rakesh